Skip to main content

Garmin WDU CVE-2025-27851

| EUVDEUVD-2025-209829 CRITICAL
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-05-13 mitre GHSA-frpq-7mr9-hx8p
9.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

4
Analysis Generated
May 14, 2026 - 16:22 vuln.today
CVSS changed
May 14, 2026 - 16:22 NVD
9.3 (CRITICAL)
CVE Published
May 13, 2026 - 00:00 nvd
CRITICAL 9.3
CVE Published
May 13, 2026 - 00:00 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows a cross-site origin WebSocket hijacking attack. Among other uses, the WDU utilizes WebSockets to control settings, including administrative settings. This allows a network attacker to take full control of a WDU. To initiate an exploit of this vulnerability, the victim must (1) be utilizing a web browser on a multihomed host that has local interfaces on the Garmin Marine Network as well as another network, and (2) access a malicious third party website created by the attacker.

AnalysisAI

Cross-site WebSocket hijacking in Garmin WDU v1 1.4.6 and v2 5.0 allows remote attackers to gain full administrative control of the marine network device. Exploitation requires the victim to browse a malicious website while connected to both the Garmin Marine Network and another network simultaneously. EPSS score of 0.02% (5th percentile) indicates low probability of widespread exploitation, but CVSS 9.3 reflects severe potential impact when conditions are met - this is a high-impact, low-probability threat primarily relevant to maritime environments with dual-network configurations.

Technical ContextAI

The Garmin Wireless Display Unit (WDU) is a marine navigation display that operates a locally-served web interface for configuration and control. The vulnerability stems from CWE-352 (Cross-Site Request Forgery), specifically manifesting as cross-origin WebSocket hijacking. WebSockets, unlike traditional HTTP, do not enforce same-origin policy restrictions by default, requiring explicit origin validation by the server. The WDU's WebSocket endpoint accepts connections without validating the Origin header, allowing a malicious website to establish a WebSocket connection from the victim's browser to the local WDU interface. Since the browser automatically includes authentication cookies or credentials, the attacker gains authenticated access to administrative WebSocket commands used to control device settings.

RemediationAI

Contact Garmin support at https://garmin.com for firmware updates addressing CVE-2025-27851 - specific patched firmware version not independently confirmed from available data sources. Until patching is completed, implement network segmentation to isolate the Garmin Marine Network from general-purpose computing devices with internet access, preventing the dual-network prerequisite required for exploitation. Configure firewall rules to block outbound WebSocket connections from marine network interfaces to external networks. Disable the WDU's web management interface when not actively needed for configuration tasks. Deploy browser extensions or endpoint policies on multihomed systems to restrict WebSocket connections to trusted origins only. Note that network isolation is the most effective compensating control but may impact legitimate remote monitoring workflows if marine operators require simultaneous access to vessel networks and external resources.

Share

CVE-2025-27851 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy